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(57) Abstract 

An arrangement is 
described for protecting items 
of information of a database 
against use without permit from 
the proprietor of the rights. 
By rendering meaningless an 
item of information in the 
database which is not to be 
exploited without permission, 
by encrypting or otherwise 
corrupting, or moving from 
the database to a storage 
location hidden to the user a 
function associated with the 
item of information for the 
control of the interpretation and 
presentation thereof to a user 
by a computer, this function 
becomes unavailable for the 
utilization in the computer 
of the user and hence, the 

corresponding item of information cannot be correctly interpreted. Thus, it will be possible to exploit such selected items of information 
stored in a database only with a corresponding authorization. 
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PROTECTION OF DATABASE CONTENTS AGAINST USE WITHOUT PERMIT 



Technical Field 

Present invention relates to protection of databases against use without permit from the 
5 rights owner, and in particular a method of preventing non-authorized exploitation of 
information contained in a database, a method and device for the preparation of 
information in a database to be exploited in a computer only with a corresponding 
authorization, and a method and device to enable authorized exploitation in a computer, 
of information from a database which is prepared according to one aspect of the 
10 invention. 

The invention is just as usable in connection with databases which are available to the 
public at large and which typically are reached through a communication network, such 
as INTERNET, in particular, as with databases delivered to individual customers on a 
15 computer readable carrier medium, such as in particular a CD-ROM (read only compact 
laser disc), preferably for local exploitation in a computer or workstation, particularly a 
personal computer (PC). 

To be able to retrieve from a database information contained therein, the information is 
20 generally stored in a structured manner according to predetermined rules and criteria. 
For example, a database can be arranged such that by naming a selected word for a 
topic all occurrences or entries in the database in which the topic word is present are 
fetched one after the other, or it is produced a list of the locations in the database in 
which the topic word is present, or the like. The information stored in a database has 
25 the form of data which by the retrieval must be "translated" from the computer 

representation to a language or manner of expression comprehensible to human beings. 
Hence, the data may represent plain text, audio, images, hypertext, animations, etc. 
Currently, a plurality of standard formats are used to handle such data for various 
purposes which specify how storage and transfer of data are to take place, for example, 
30 and which are decisive for the "translation" of the data into human comprehensible form. 
The formats are available to everybody. For example, data representing text and 
graphics can be stored and transferred in Postscript or PDF formats, video stills in GIF 
or JPG format, live video images in MPEG or QCIF format, etc. 



35 



By using an individual format a specifically coded and often additionally compressed or 
packed representation of the information is achieved in the form of objects, for example, 
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as in the case of an object oriented database. Usually, therefore, a corresponding 
special software is required to interpret the data formatted in this way to present them in 
a manner directed at human beings, such as in the form of a text or a picture accom- 
panied by audio, or not, on a medium suitable therefor, such as a display screen, paper, 
5 etc. As a rule, such software is easily available to a user, and in addition often free of 
charge, by being included on the same physical carrier medium as the database, for 
example, such as on the same CD-ROM as that carrying the delivered database, this in 
particular being the case with respect of so-called multimedia products, or by fetching 
the software through the same network as that by which the database is reached, such 
10 as typically is the case where INTERNET, for example, is used. 

Databases containing information (data) represented by means of more than one of the 
formats mentioned above, i.e. especially multimedia databases, will, by and by, be easily 
available to the people at large and increasingly more commonly used. Such databases 
15 would be available locally, such as on a laser disc of some kind, or through a network, 
such as INTERNET, and later also public telecommunication networks (particularly ISDN 
- Integrated Services Digital Network). 

Background Art 

20 Today there are databases which are open giving everybody unrestricted admission but 
there are also databases which are closed to the public in general and where a 
password og other authentication is required to get admission at all. Databases contain 
pieces of information, however, which for different reasons are more or less valuable to 
the owner, and which then can be said to belong to an "open" and a "closed" class, 

25 respectively. In such a case, a commonly used protection by password of the admission 
to the database as such, will shut the public in general out from the database as a 
whole, this being undesirable to many database owners, whereas, on the other hand, 
free admission would give access also to the "closed" class of information, which, of 
course, is not desirable. 

30 

So, where it is desirable to distribute through a network or on CD-ROMs particularly 
costly data, such as maps, animations, etc. stored in a database accessible to 
everybody, to restricted groups of users or customers, it must be possible to protect the 
information intended for such distribution against use without authorization, if the 
35 distribution should be justifiable in a business-like way. There are, however, no known 
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methods or techniques that provide sufficient protection as against abuse of such costly 
data which are retrievable from an otherwise "open" database. 

Therefore, there is a need for a mechanism or arrangement which makes it possible to 
5 protect selected portions of the contents of a database against abuse, and which 
enables the owner of a database to give users having various demands permission to 
get information from those portions of the database which correspond to their needs but 
not from other portions thereof. Then, the owner can make a charge depending on the 
authorization given to the individual customers, and especially entrusted users only can 
10 be given admission to any secret information (data) in the database at the same time as 
everybody are presented with at least the "home page" of the database when calling the 
base. 

Thus, a purpose of the present invention is to provide a protection arrangement enabling 
15 database owners and/or the proprietors of the pieces of information stored in a database 
to protect their product against use without permit, in such a manner that the entire 
database or portions thereof may be copied and freely distributed while the database, in 
principle, is open to everybody but still in such a manner that selected portions of the 
contents therein cannot be utilized unless the necessary permission or authorization 
20 exists. 

Furthermore, a purpose of the invention is to provide a protection arrangement of a 
universal nature being capable of handling not only individual entries or objects in a 
database, but complete databases, whereby different authorizations can be assigned at 
25 a plurality of levels with respect of different selected portions of the database contents, 
for example. 

These and other purposes should more clearly appear from the description below of 
exemplary preferred embodiments of the present invention taken in combination with the 
30 appended drawings. 

Description of Invention 

In a first general aspect of the present invention it is provided a method of preventing the 
contents of a database from being used without permit, whereby at least a selected 
35 portion of the contents of the database is caused to be incomprehensible to a user, said 
portion then being converted into comprehensible form by means of a key if permission 
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exists, the method of the invention being characterized in rendering meaningless said at 
least one selected portion of the contents of the database by encrypting, or otherwise 
corrupting, or moving from the database to a storage location hidden to the user at least 
one parameter associated with the selected portion for the control of the interpretation 
5 and presentation to a user by a computer, of data in that portion of the database in such 
a manner that the parameter is not available for utilization in the user's computer and 
said data cannot be correctly interpreted for the presentation to the user. 

Hence, the invention also relates to a method of allowing exploitation of the contents of a 
10 database only with a corresponding permit, whereby those selected portions of the 
contents of the database which are caused to be incomprehensible can be correctly 
interpreted only if said parameter controlling the interpretation and presentation thereof 
by a computer is rendered meaningful and made available for utilization in the user's 
computer. 

15 

Accoding to the invention preferably said parameter is encrypted using a first key, and 
the decryption of said encrypted parameter is performed using a second key stored in a 
tamperproof unit connected to the user's computer. Also, it is possible to encrypt the 
first key prior to being stored in the tamperproof unit such that the key itself must be 
20 decrypted before it can be used for said decryption. 

Accoding to the invention the encryption of said parameter may takes place prior to the 
completion of the database contents for use, or take place when a user fetches 
information from a database, in which preferably no parameter is pre-encrypted. 

25 

The decryption will take place when the computer in the processing of information 
fetched from the database hits an indication of encryption being performed. This 
indication is of such a kind that enables a computer program running on the user's 
computer to localize the encrypted parameters to decrypt them and use them for the 
30 control of the interpretation and presentation of the data they are associated with. 

According to a preferred embodiment of the invention, when the computer hits such an 
indication of encryption being performed, a communication channel is established 
between the computer and the tamperproof unit through which the encrypted parameters 
35 are transferred to the tamperproof unit in a first transfer step for the decryption therein by 
a processor included in the unit. The decrypted parameters are then transferred in the 
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opposite direction through the communication channel in a second transfer step for the 
further unitization in the computer in respect of correct interpretation and presentation of 
the data they are related to. 

5 In a special embodiment of the invention the first and second algorithms as well as the 
corresponding first and second keys are determined in accordance with an asymmetric, 
two-key cryptographic arrangement (public-key / private-key cryptosystem), such as the 
RSA cryptosystem. In this case, preferably the first key is the known (public) key, and 
the second key is the secret (or private) key in the cryptographic arrangement. 

10 

In another version of the invention, where at least one parameter associated with a 
portion of the database contents is moved from the database to a hidden storage 
location, this is accomplished by storing the moved parameters in a tamperproof unit to 
be connected to the computer of a user. So, when the computer in the processing of 

15 information fetched from the database misses a parameter for the interpretation and 
presentation of data being processed, the computer establishes a communication 
channel to the tamperproof unit to communicate said absence. The tamperproof unit 
then provides the missing parameter which is stored in the unit, and transfers this 
parameter the opposite direction through the communication channel such that the 

20 missing parameter can be used in the computer for the correct interpretation and 
presentation of the data concerned. 

In another aspect, the invention relates to a device for preventing the contents of a 
database to be used without permit. According to the invention this device is characteri- 

25 zed in that it comprises crypto-equipment adapted to render meaningless a selected 
portion of the contents of the database by performing encryption or otherwise corruption 
of at least one parameter associated with the selected portion for the control of the 
interpretation and presentation to a user by a computer, of data in that part of the 
database in such a manner that the parameter is unavailable for utilization in the user's 

30 computer, and said data cannot be correctly interpreted for the presentation to the user. 

The crypto-equipment according to the invention is preferably adapted to encrypt said 
parameter using a first key prior to the completion of the database contents for use, or at 
the same time as when a user fetches information from a database, the database 
35 preferably not being pre-encrypted. 
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In a preferred embodiment of this device which comprises a tamperproof unit to be 
connected to a user's computer, and having a computer-readable storage medium and a 
processor of its own, the tamperproof unit is adapted to decrypt in accordance with a 
decryption algorithm the encrypted parameter using a second key stored in the 
5 tamperproof unit which is different from said first key. 

Preferably, the tamperproof unit is adapted to perform by a command from the computer 
to which the unit is connected said decryption of the encrypted parameter when the 
computer in the processing of information fetched from the database hits an indication of 

10 at least one encrypted parameter being present in the fetched information. This is 

achieved by adapting the computer to establish a communication channel between itself 
and the tamperproof unit when it hits said indication of the presence of at least one 
encrypted parameter. Through this communication channel the computer then transfers 
in a first transfer step the encrypted parameters to the tamperproof unit for the 

15 decryption by means of the unit's own processor. Then, the tamperproof unit returns in 
a second transfer step the result of the decryption of the encrypted parameters through 
the communication channel to the computer for further utilization therein. 

In still another aspect, the invention relates to a device for preparing a database in such 
20 a manner that the contents thereof cannot be used without permit. According to the 
invention this device is characterized in that it comprises crypto and preprocessing 
equipment adapted to render meaningless at least one selected portion of the contents 
of the database by performing encryption using a first key, of at least one parameter 
associated with the selected portion for the control of the interpretation and presentation 
25 to a user by a computer, of data in that portion of the database. At the same time the 
preprocessing equipment includes in a start-up file or the like for the whole of the 
database, or in a start or introductory field for that portion of the database having an 
encrypted parameter associated therewith an indication of at least one encrypted 
parameter being present in the database and where such encrypted parameters are 
30 located. This indication is intended to be used for the establishment of communication 
with a tamperproof unit connected to a user's computer. 

In still a further aspect, the invention relates to a device for allowing exploitation of the 
contents of a database only with a corresponding permit According to the invention this 
35 device is characterized in that it comprises preprocessing equipment adapted to render 
meaningless at least one selected portion of the contents of the database by moving to a 



10 
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storage location hidden to the user at least one parameter associated with the selected 
portion for the control of the interpretation and presentation to a user by a computer, of 
data in that part of the database in such a manner that the parameter is unavailable for 
the utilization in the user's computer, and said data can then be correctly interpreted only 
if said parameter is made available for the utilization in the user's computer. 

In a version of this latter device, the preprocessing equipment is adapted to move said 
parameters from the database to a storage in a tamperproof unit to be connected to a 
user's computer. 



With the methods and devices according to the invention a mechanism or arrangement 
is achieved which makes it utmost difficult to exploit the contents stored in a database, 
such as in the form of objects, entities, data occurrences, entries in tables, etc. if 
permission from the copyright proprietor does not exist. Also, this hinderance against 
15 unauthorized use can be made even more secure, such as by distorting the communica- 
tion of a user's computer with the tamperproof unit connected thereto. 

Brief Description of Drawings 

In the following description, it is referred to the accompanying drawings, on which: 
20 Figure 1 is a simplified diagram showing the principle of a typical current situation 
whereby items of information are transferred from a database, 
Figure 2 is a simplified diagram showing the principle corresponding to that of Figure 1, 

and including a peripheral unit according to the invention, 
Figure 3 is a simplified diagram showing the principle of retrieval of objects, 
25 Figure 4 is an example of the communication of a user terminal with a database 
manager encrypted at several levels. 
Figure 5 is an example of a sequence for encrypting data in a database, and 
Figure 6 is an example of a sequence for decrypting data in a database. 

30 Description of Preferred Embodiments 

It is referred to Figures 1, 2 and 3, all of which serving to illustrate the principle of using 
a database 1 in which the stored information has the form of data which must be 
"translated 11 from a computer language to a language or manner of expression 
comprehensible to human beings. 



35 
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In Figure 1, a typical flow of data between a user and a database is demonstrated. 
When a users has established connection with and been given admission to the 
database 1, data from the database 1 is transferred to the user's computer through the 
connection 4, the data being available either locally at a workstation (in the case of the 
5 CD-ROM) or centrally through a network (INTERNET). Possibly the user must enter a 
password to gain access to the database, and then usually all information stored in the 
database is available for the exploitation by the user. When the user has gained access 
to the database the data is processed in the user's computer by means of special 
software so as to present the contents of the database to the user in a comprehensible 
10 form. In principle, once the data is fetched and transferred from the database, the data 
can currently be unrestricted copied and distributed. This also applies to data stored 
locally, such as on a CD-ROM. 

Given the technology of today, it is relatively simple and inexpensive to read out and 
15 store on a CD-ROM, for example, the whole or major parts of a database. Then, such a 
CD-ROM copy can freely be used by non-authorized users. The result is that already it 
has become very difficult to safeguard copyrights by means of known methods of 
protecting databases, and in the future, this problem will be even larger given the 
possibility of inter alia recording data on (or "burn") SD-CDs (Super Density Compact 
20 Disks) having a storage capacity of about 4.8 gigabytes per layer. 

The stored data of a database which is to be protected against abuse is represented in a 
format which requires a special (viewer) program to present the data in a form directed 
at human beings, i.e. as audio, images, text, etc. Such special software should be 
25 independent of the information content, and can usually be employed with respect of all 
items of information having the same format. Therefore, it is not practical to protect this 
special software. The protection of the information, i.e. the objects or data in the 
database, seems to be a better solution. 

30 In any "packed", or coded representation of data there are vital components, namely 
parameters, which are necessary to interpret and present the data correctly to the user. 
Therefore, a basis for the present invention is that if such parameters are stored in an 
encrypted form in the database, it will not be possible for a non-authorized user to 
interpret the contents of the database. 



35 
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The part of the information in the database that according to the invention is encrypted 
according to an encryption algorithm using a first key, is therefore selected on the basis 
that it is completely decisive for enabling the corresponding portion of information in the 
database to be correctly interpreted. The selected part of the information in the 
5 database which is encrypted comprises one or more parameters associated with the 
corresponding portion of the database information for the purpose of controlling the 
interpretation and presentation of the latter to a user such that, upon the decryption of 
the encrypted parameters, the corresponding part of the information can be correctly 
interpreted and presented in a correct manner to the user. Such parameters are 
10 generally associated with, or included in each individual object of the database, or 
groups of corresponding object. 

To be able to interpret the contents of the database, a user having permit therefor must 
use certain items of information for the decryption of the parameters of the database 

15 which are decrypted. The items of information enabling the decryption may be stored in 
a separate tamperproof unit of equipment, for example, such as a dongle or a smart 
card being machine readable by the user's workstation. Software for the communication 
with the tamperproof unit for the purpose of having the parameters decrypted when data 
from the database is to be used, must in this case be integrated in the special software 

20 installed on the user's workstation or terminal. Hence, the special software must provide 
for establishing a link to the database (or database server), and that access to the 
database is granted, as well as unpack the desired data fetched from the database to 
interpret the data with respect of their presentation in a comprehensible manner to the 
user. 

25 

To make it possible for the data to be used by authorized users only, (e.g. paying users 
or customers only), and not to be distributed in a usable form without restrictions, the 
contents of the database 1 may be encrypted with reference to Figure 2, in the following 
manner. 

30 • A selection of parameters belonging to the database objects 6 (which are packed) is 
encrypted. The various items of information may in principle be encrypted using 
different keys. 

• In the initial phase (when the user establishes communication with the database) a 
data file, hereinafter called the start-up file 5, is transferred to the user. The start-up 
35 file contains "guiding information" hereinafter called key data, in encrypted form. The 
encrypted key data js transferred to a peripheral device 3, such as a card reader 
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station for smart cards, which then finds the keys previously stored in the tamperproof 
unit (on the smart card) and which is to be employed (by that unit) for the decryption 
of the parameters contained in the objects received from the database. 

5 In a version of the present invention, the key data in the start-up file may be encrypted 
either using a known (public) key to be decrypted in the tamperproof unit using a 
corresponding secret or private key stored on the smart card, for example, which may be 
denoted a master key, or be encrypted using the secret key, such as with symmetric 
cryptographic systems, e.g. DES. Only when the parameters are decrypted the objects 
10 or data can be unpacked to be presented to the user 4. 

By having such an extended data format the interpretation of the data will take place as 
explained in the following. 

15 The tamperproof unit contains a master key which is known to the "owner" of the 
database only and not available to the user. When the user wishes to establish 
communication with the database to retrieve data therefrom, the database start-up file is 
transferred to the user. 

20 The special software reads the start-up file and then conveys the key data from the 
start-up file which is encrypted by a known key, to the peripheral unit. If the peripheral 
unit (or the smart card placed therein) is authorized for the use of that database, it 
contains a master key for the decryption of the encrypted key data of the start-up file. 
The key data comprises references and/or addresses to such keys that are prestored in 

25 the peripheral unit and which must be employed to decrypt the parameters of the objects 
for thus being able to interpret the objects correctly. 

The special software may recognize the encrypted parameters to convey them to the 
peripheral unit. Possibly each object contains an initial sequence defining which key is 

30 to be employed in the decryption of the parameters of that object and an indication as to 
the position of the encrypted parameters. In this way, in principle all objects in the 
database may be encrypted using different keys, furthermore enabling authorization of 
the tamperproof unit at several levels. As mentioned above, such an initial sequence is 
itself preferably encrypted such that the decryption must be carried out by means of the 

35 master key. 
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The tamperproof unit decrypts the encrypted parameters by means of the deducted keys 
and returns the result to the special software which now can utilize the decrypted 
parameters to interpret and display correctly the corresponding items of information, and 
the processing continues further. 

5 

In Figure 3, a further development of the arrangement just described is shown. The 
database 1 of Figure 3 may physically be located either in a local workstation (e.g. in the 
form of a CD-ROM), or be available through a network (e.g. through INTERNET). When 
the user establishes communication with the database the initial file is transferred in 

10 encrypted state to the user's computer 2 through the link 5 to the database 1 . The 
peripheral unit (the smart card) 3 receives the encrypted key data which is decrypted by 
means of the master key being present in the tamperproof unrt (on the smart card). The 
keys to be used for the decryption of the encrypted parameters are thereby determined 
in the tamperproof unit such that parameters can be obtained which enables the objects 

15 to be interpreted correctly, as is shown and described with reference to Figure 2. 

In the case of the database being a CD-ROM, the key data must already be encrypted in 
agreement with the tamperproof unit (smart card). The encryption algorithms being used 
are dependent on the application (CD-ROM, distributed databases, etc.), and in principle 
20 they may be either symmetric, e.g. of the DES type (Data Encryption Standard, Bureau 
of Standards, U.S.A., 1977), or asymmetric, e.g. of the RSA type (Rivest, Shamir, 
Adleman). 

To present the data a special software is used which communicates with the tamper- 
25 proof unit (smart card) 3 to enable the decryption of the parameters and the presentation 
of the data to the user. As a result, the objects (the data) being transferred from the 
database to a user will always be unusable in their present form. Therefore, the 
database (a CD-ROM, for example) can be distributed without restrictions and be copied 
in an unlimited number as it can be used only with a tamperproof unit (smart card) 
30 carrying the authorization and the correct master key. In other words, the permission to 
use the database is resident in the tamperproof unit (the smart card). 

Also, it is possible to place the access authorization to the data in a database at several 
levels by using different encryption keys on each of the objects in the database, or on 
35 groups of items of information in the database. Such a principle seems to be most 
interesting if access to the database in question is made through a network (e.g. 
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INTERNET), the method may, however, be used on local databases also, such as a 
database carried on a CD-ROM. 

Figure 4 demonstrates how the communication between a user terminal and a database 
5 manager can take place when having such encryption at multiple levels. The database 
manager and the user (in fact, the user's computer) start in respective initial states 1 and 
4 t respectively. When communication between user and database is established 
through the intermediate network (e.g. INTERNET) 13, in the example shown, a first 
authentication session 10 of the user is carried out while he and the manager still are in 

10 the initial state 1, 4. During this session, or this communication step, the master key 
being stored in the tamperproof unit (on the smart card) 9, is used. If the this unit (the 
smart card) 9 holds an authorization to exploit the database the user is granted access 
to a limited part of the database contents as indicated in Figure 4 by transition 14 having 
the meaning of "authorized OK". If the user is admitted to more than one "information 

15 layer" in the database (by authorization at multiple levels) the keys are transferred in 
encrypted form to the tamperproof unit which then decrypts the key data by means of 
the master key (on the smart card) to find which keys are to be utilized in the decryption 
of the parameters. 

20 In Figure 4, when the user is in the state denoted 5 and the database manager is in the 
state denoted 2, in a new communication step 11, the user can perform restricted 
operations (such as searching) in the database without transferring any data to his 
computer or terminal. Data which is found in the database in this manner, may then, at 
this level (level 0) be transferred to the user without being distorted. 

25 

When the user searches for information in the database at a higher level (levels 1, ... n) 
thereof, the database manager will distort or corrupt the objects (data) 3 in such a 
manner that they can be utilized only by assistance by the tamperproof unit (the smart 
card). In one embodiment of the process, the keys to be used for the decryption of the 
30 parameters at the various levels (level 1, ... n) can be transferred to the user during the 
authentication phase for temporary storage in the user terminal (in encrypted form), or in 
the tamperproof unit connected to the terminal, or they may already have been 
transferred to the smart card. 

35 Each corrupted object contains an initial sequence indicating which key identified by key 
number, for example, to be used for the decryption of the encrypted parameters in the 
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object, as well as where, i.e. in what position, the encrypted parameters are found in that 
object. In a further session 12 the corrupted items of information are transferred through 
the network 13 to the user. Then, the user can continue the communication with the 
database by means of the special software and render the objects usable by means of 
the tamperproof unit (the smart card) to have the database contents presented (at 8) in a 
comprehensible manner. 

Pyarn ple of m *s* a q e seq uence for a local database 

As shown in Figure 6, such a prosess is initiated when the user calls (at 1) the 
database. The user then (at 2) receives a message including a start-up file containing 
the following information: 

- a database identifier which is recognized in the tamperproof unit (by comparison with 
an identifier stored on the smart card, for example), and 

- a set of references to decryption keys (stored in the tamperproof unit, particularly on 
the smart card) to be used during the decryption of the encrypted parameters of the 
database. 

The references to the decryption keys, or the keys themselves, can be encrypted by a 
known (public) key corresponding to the master or private key stored in the tamper- 
proof unit (on the smart card) which is not available to the user. 

The start-up file contents will be forwarded (in session 2a) to the peripheral unit (the 
smart card) which then checks the identity of the database. Only if the identity of the 
database is recognized and accepted by the tamperproof unit (the smart card) the 
references to the decryption keys to be used are decrypted by means of a chosen 
decryption algorithm and master key. Then, in the tamperproof unit (the smart card), the 
decryption keys are determined for later use. If the identity of the database is not 
recognized nor accepted by the tamperproof unit, the user receives a message (at 5) 
saying that admission to the database is denied. 

If the user (in fact, the tamperproof unit) is authorized to exploit the database a home 
page or a table of contents for the database is presented to that person. Whether or not 
this object is to be encrypted is, of course, a decision of the database "owner". 



Starting from the home page or the table of contents the user can search for more 
information by "designating" (in session 3) one or more objects in the database. These 
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objects are packed and/or coded in a specific format (e.g. postscript, PDF, GIF, MPEG, 
and more) and thus contain parameters which are decisive for unpacking and/or 
decoding the contents in the objects for the presentation thereof in a way that is 
comprehensible to the user. At least some of the these parameters are encrypted, and 
5 the encrypted parameters must be recognized by the special software and/or decoding 
software to be forwarded to the tamperproof unit (the smart card) to be decrypted therein 
by means of the correct key. 

To obtain a "tidy" structure of the database it is sensible to use the same key for the 
10 encryption of parameters within one and the same object. The keys to be used and the 
position of the encrypted parameters in the objects are indicated in the initial sequence 
(header) of each object. This is necessary to enable corruption at multiple levels and at 
all times enabling the decryption of the correct parameter while the information in the 
object is in binary form. This heading or additional information accompanying the object 
15 should be encrypted at the same level as the start-up file, the master key of the 

peripheral unit and/or smart card being usable for the decryption of the heading. The 
cryptographic algorithm used may be the same for all objects. 

When the user (at 3) accesses and object the special software will receive (at 4) the 

20 initial sequence of the object and its contents in corrupted form. The initial sequence 8.1 
is transferred (at 6a) to the tamperproof unit to be decrypted using the master key. An 
indication as to which key to be used in the decryption of the parameters is stored in the 
tamperproof unit (on the smart card), and an indication as to where the encrypted 
parameters are located in the object is returned (at 6b) to the user's computer for the 

25 utilization by the special software such that the encrypted parameters can be located 
and transferred (at 7) to the tamperproof unit to be decrypted using the correct key (one 
specific key among ten keys, for example) stored in the tamperproof unit and defined in 
the initial sequence of the object. When the encrypted parameters 7.1, 7.2, 7.3, ... of the 
object are received by the special software they are forwarded (at 7) to the tamperproof 

30 unit to be decrypted in the tamperproof unit using the correct key, then being returned 
(at 8) to the user's computer. So, instead of the encrypted parameters, the special 
software will employ the decrypted parameters 4.1, 4.2, ... received from the tamperproof 
unit (the smart card) such that the format of the object can be correctly decoded or 
"unpacked" (in block 11) and the object be presented to the user in a comprehensible 

35 manner. If even better security is desirable, it is, of course, possible also additionally to 
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scramble the communication between the user's computer and the tamperproof unit (the 
smart card). 

Exam ple of message sequence fo r a remote database connected to a network 
5 In principle, this message sequence may be similar to that of a local database as 
described herein before. The major difference lies in that such databases, at the start, 
may be uncorrupted and that a distortion or corruption involving encryption of parameters 
in packed objects is carried out when a user accesses the database. Then the flow of 
authorization messages takes place between the user and the database manager 
10 located at the database. In general, the sequence is such as that shown in Figure 4. 
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Claims 

1. A method of preventing the contents of a database from being used without permit, 
whereby at least a selected portion of the contents of the database is caused to be 

5 incomprehensible to a user, said portion then being converted into comprehensible form 
by means of a key if permission exists, 

characterized in rendering meaningless said at least one selected portion (6; 
Figure 2) of the contents of the database (1; Figure 2) by encrypting, or otherwise 
corrupting, or moving from the database to a storage location hidden to the user at least 
10 one parameter (4.1, ... 4.m; Figure 5) associated with the selected portion for the control 
of the interpretation and presentation to a user by a computer, of data in that portion of 
the database in such a manner that the parameter is not available for utilization in the 
user's computer and said data cannot be correctly interpreted for the presentation to the 
user. 

15 

2. A method of allowing exploitation of the contents of a database only with a 
corresponding permit, whereby at least a selected portion of the contents of the 
database is caused to be incomprehensible to a user, said portion then being converted 
into comprehensible form by means of a key if permission exists, 

20 characterized in rendering meaningless said at least one selected portion (6; 
Figure 2) of the contents of the database (1; Figure 2) by encrypting, or otherwise 
corrupting, or moving from the database to a storage location hidden to the user at least 
one parameter (4.1, ... 4.m; Figure 5) associated with the selected portion for controlling 
the interpretation and presentation to a user by a computer, of that portion of the 

25 database in such a manner that the parameter is not available for utilization in the user's 
computer, and said data can be correctly interpreted only if said parameter is rendered 
meaningful and made available for utilization in the user's computer. 

3. A method according to claim 1 or 2 t 

30 characterized in encrypting said parameter (4.1 , ... 4.m) using a first key. 
and performing decryption of said encrypted parameter using a second key stored in a 
tamperproof unit connected to the user's computer. 

4. A method according to any of the proceeding claims, 

35 characterized in that the encryption of said parameter takes place prior to 
the completion of the database contents for use, or takes place when a user fetches 
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information from a database, preferably no parameter associated with the database 
contents being pre-encrypted. 

5. A method according to claim 3, 
5 characterized in encrypting the first key in accordance with an encryption 
algorithm and a third key prior to the storage thereof in said tamperproof unit, and 
decrypting the encrypted key in accordance with a decryption algorithm and a fourth key 
for the use thereof as said second key. 

10 6. A method according to any of the proceeding claims, 

characterized in that the decryption of the encrypted parameter which is 
performed using the second key takes place when the computer in the processing of 
information fetched from the database hits an indication of encryption being performed 
which indicates that at least one encrypted parameter is present in the information 

15 fetched and where such encrypted parameters are located such that when being 

localized and decrypted the decrypted parameters can be used to control the interpreta- 
tion and presentation of the related data. 

7. A method according to claim 6, 

20 characterized in that when the computer hits said indication of encryption 
being performed, a communication channel is established between the computer and the 
tamperproof unit through which the encrypted parameters are transferred to the 
tamperproof unit in a first transfer step for the decryption therein by a processor included 
in the unit, the respective decrypted parameters then being transferred in the opposite 

25 direction through the communication channel in a second transfer step for the further 
unitization in the computer in respect of correct interpretation and presentation of the 
related data. 

8. A method according to claim 6 or 7, 

30 characterized in providing said indication of encryption being performed as 
an instruction or the like resulting in the establishment of said communication channel 
between the computer and the tamperproof unit 

9. A method according to claim 6 or 7, 

35 characterized in embedding said indication of encryption being performed in 
a start-up file or the like for the whole of the database, and/or in a start or introductory 
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file for the individual portions of the database having an encrypted parameter associated 
therewith, this indication preferably having the form of a reference. 

10. A method according to any of the proceeding claims, 

5 characterized in that the encryption and decryption algorithms using said 
first and second keys are determined in accordance with an asymmetric, two-key 
cryptographic arrangement (public key cryptosystem), such as the RSA cryptosystem, 
the first key preferably being the known (public) key and the second key being the secret 
(or private) key in sue* a cryptographic arrangement, or in accordance with a symmetric 
10 cryptographic arrangement 

11. A method according to claim 1 , 

characterized in that, in the case at least one parameter associated with a 
portion of the database contents is moved from the database to a hidden storage 

15 location, this is accomplished by storing the moved parameters in a tamperproof unit to 
be connected to the computer of a user such that when the computer in the processing 
of information fetched from the database misses a parameter for the interpretation and 
presentation of data being processed thereby, a communication channel is established 
between the computer and the tamperproof unit through which said absence is 

20 communicated to the tamperproof unit in a first transfer step, the unifs own processor 
then providing the missing parameter which is stored in the unit and then is transferred 
the opposite direction through the communication channel in a second transfer step for 
the further utilization in the computer with respect of correct interpretation and 
presentation of the data concerned. 

25 

12. A device for preventing the contents of a database to be used without permit, the 
device being adapted to cause at least one selected portion of the database contents to 
be incomprehensible to a user, and then to be converted by processing in a user's 
computer into comprehensible form by means of a key if permission exists, 

30 characterized in that the device comprises crypto-equipment adapted to 
render meaningless at least one selected portion (6; Figure 2) of the contents of the 
database (1; Figure 2) by performing encryption or otherwise corruption of at least one 
parameter (4.1, ... 4.m; Figure 5) associated with the selected portion for the control of 
the interpretation and presentation to a user by a computer, of data in that part of the 

35 database in such a manner that the parameter is unavailable for utilization in the user's 
computer, and said data cannot be correctly interpreted for the presentation to the user. 
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13. A device according to claim 12, 

characterized in that said crypto-equipment is adapted to encrypt said 
parameter (4.1, ... 4. m) using a first key prior to the completion of the database contents 
for use, or when a user fetches information from a database, the database preferably not 
5 being pre-encrypted. 

14. A device according to claim 13 comprising a tamperproof unit to be connected to a 
user's computer, the tamperproof unit at least comprising a computer-readable storage 
medium and a processor of its own. 

10 characterized in that said tamperproof unit is adapted to decrypt in 
accordance with a decryption algorithm the encrypted parameter using a second key 
stored in the tamperproof unit which is different from said first key. 

15. A device according to claim 14, 

15 characterized in that said tamperproof unit is adapted to perform by a 
command from the computer to which the unit is connected said decryption of the 
encrypted parameter when the computer in the processing of information fetched from 
the database hits an indication of at least one encrypted parameter being present in the 
fetched information and where such encrypted parameters are present in the information 

20 fetched from the database. 

16. A device according to claim 15, 

characterized in that said computer is adapted to establish a communication 
channel between itself and the tamperproof unit when it hits said indication of the 
25 presence of at least one encrypted parameter to transfer through this communication 
channel the encrypted parameters to the tamperproof unit in a first transfer step for the 
decryption by means of the unit's own prooessor which after the decryption of the 
encrypted parameters returns the result through the communication channel in a second 
transfer step to the computer for further utilization therein. 

30 

17. A device for preparing a database such that the contents thereof cannot be used 
without permit, the device being adapted to cause at least one selected portion of the 
database content to be incomprehensible to a user and by the processing in a user's 
computer being converted into comprehensible form by means of a key if permission 

35 exists, 
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characterized in that the device comprises crypto and preprocessing 
equipment adapted to render meaningless said at least one selected portion (6; Figure 
2) of the contents of the database (1; Figure 2) by performing encryption using a first 
key, of at least one parameter (4.1, ... 4.m; Figure 5) associated with the selected 
5 portion for the control of the interpretation and presentation to a user by a computer, of 
data in that portion of the database and at the same time include in a start-up file or the 
like for the whole of the database, or in a start or introductory field for that portion of the 
database having an encrypted parameter associated therewith an indication of at least 
one encrypted parameter being present in the database and where such encrypted 
10 parameters are located, said indication being intended to be used for the establishment 
of communication with a tamperproof unit connected to a user's computer. 

18. A device for allowing exploitation of the contents of a database only with a 
corresponding permit, the device being adapted to cause at least one selected portion of 

15 the database content to be incomprehensible to a user and by the processing in a user's 
computer being converted into comprehensible form by means of a key if permission 
exists, 

characterized in that the device comprises preprocessing equipment 
adapted to render meaningless said at least one selected portion (6; Figure 2) of the 

20 contents of the database (1 ; Figure 2) by moving to a storage location hidden to the user 
at least one parameter (4.1, ... 4.m; Figure 5) associated with the selected portion for the 
control of the interpretation and presentation to a user by a computer, of data in that part 
of the database in such a manner that the parameter is unavailable for the utilization in 
the user's computer, and said data can be correctly interpreted only if said parameter is 

25 made available for the utilization in the user's computer. 

19. A device according to claim 18, 

characterized in that said preprocessing equipment is adapted to move said 
parameters from the database to a storage in a tamperproof unit to be connected to a 
30 user's computer. 
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